SSH Security: Change Default Port

TL;DR

Changing your SSH port from the default (22) adds a layer of security by reducing automated attacks. This is most effective when you’ve also disabled password authentication and use SSH keys instead.

Why Change Your SSH Port?

The default SSH port, 22, is constantly scanned by bots attempting to gain access to servers using common usernames and passwords. Changing the port doesn’t *prevent* attacks, but it significantly reduces the noise – meaning fewer attempts to crack your system. It’s a simple step that makes you less visible to automated attackers.

Prerequisites

  • You have SSH access to your server.
  • You have root or sudo privileges.
  • Password authentication is disabled (strongly recommended). Using SSH keys is much more secure.

Steps to Change Your SSH Port

  1. Edit the SSH Configuration File: Open the SSH configuration file using a text editor with root/sudo privileges.
    sudo nano /etc/ssh/sshd_config
  2. Find and Modify the Port Directive: Locate the line that says #Port 22. Remove the '#' to uncomment it, and change '22' to a port number between 1024 and 65535 (avoid well-known ports). For example:
    Port 2222
  3. Check for Multiple Port Directives: Ensure there aren't multiple Port directives defined. sshd listens on every active Port line, so a leftover Port 22 keeps the default port open. If there are several, comment out any you don't intend to use.
  4. Restart the SSH Service: Apply the changes by restarting the SSH service.
    The command varies depending on your Linux distribution:

    • Systemd (most modern distributions):
      sudo systemctl restart sshd
    • SysVinit (older distributions):
      sudo service ssh restart
  5. Update Firewall Rules: Allow traffic on the new port through your firewall. The commands depend on your firewall software.
    • UFW (Ubuntu/Debian):
      sudo ufw allow 2222
    • Firewalld (CentOS/RHEL/Fedora):
      sudo firewall-cmd --permanent --add-port=2222/tcp
      sudo firewall-cmd --reload
  6. Test the Connection: Connect to your server using the new port, specifying it with the -p option. Keep your existing session open until the new connection succeeds.
    ssh user@your_server_ip -p 2222
  7. Verify Old Port is Blocked: Confirm that you can no longer connect on the default port (22). This confirms your firewall changes are working.
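
A pre-restart check covering steps 2 and 3 and the password-authentication prerequisite, added here as an example that is not part of the original article. The function names and the sample configuration are constructed for illustration, and the script reads only plain "Keyword value" lines (it does not follow Include files or Match blocks).

```shell
#!/bin/sh
# Added example: checks an sshd_config before the restart in step 4.
# Simplification: handles "Keyword value" lines only, ignores Include and Match.

# Print every active (uncommented) Port value; keywords are case-insensitive.
active_ports() {
    awk 'tolower($1) == "port" { print $2 }' "$1"
}

# check_sshd_port FILE: print findings, return 0 only if the file is safe to apply.
check_sshd_port() {
    cfg=$1 rc=0
    ports=$(active_ports "$cfg")
    count=$(printf '%s\n' "$ports" | grep -c . || true)
    if [ "$count" -eq 0 ]; then
        echo "FAIL: no active Port directive, sshd will use 22"; rc=1
    elif [ "$count" -gt 1 ]; then
        echo "FAIL: $count active Port directives, sshd listens on every one"; rc=1
    fi
    for p in $ports; do
        case $p in
            *[!0-9]*) echo "FAIL: Port '$p' is not a number"; rc=1; continue ;;
        esac
        if [ "$p" -eq 22 ]; then
            echo "FAIL: default port 22 is still active"; rc=1
        elif [ "$p" -lt 1024 ] || [ "$p" -gt 65535 ]; then
            echo "FAIL: Port $p is outside 1024-65535"; rc=1
        fi
    done
    # sshd uses the first value it finds; an absent keyword means the default (yes).
    pw=$(awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }' "$cfg")
    if [ "$pw" != "no" ]; then
        echo "FAIL: PasswordAuthentication is not 'no'"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: only Port $ports is active, password logins are off"
    return "$rc"
}

# Constructed sample: the old Port 22 line was left uncommented (step 3).
demo_cfg=$(mktemp)
printf '%s\n' '#Port 22' 'Port 22' 'Port 2222' 'PasswordAuthentication no' > "$demo_cfg"
check_sshd_port "$demo_cfg" || echo "fix the findings above before restarting sshd"
rm -f "$demo_cfg"
```

To check the real file, call check_sshd_port /etc/ssh/sshd_config after step 3; sudo sshd -t additionally validates the file's syntax before the restart.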

Important Considerations

  • SSH Keys: This change is most effective when combined with SSH key authentication and disabled password logins.
  • Firewall: Always update your firewall rules to reflect the new port. Failing to do so will lock you out of your server!
  • Port Selection: Choose a port number that isn’t already in use by another service on your server.
  • Documentation: Keep a record of the new SSH port for future reference.